As we push computers to “the edge” building an increasingly complex world of interconnected information systems and devices, security and privacy continue to dominate the national dialog. There is an urgent need to further strengthen the underlying systems, component products, and services that we depend on in every sector of the critical infrastructure, ensuring those systems, components, and services are sufficiently trustworthy and provide the necessary resilience to support the economic and national security interests of the United States.

This update to NIST Special Publication 800-53 (Revision 5) responds to the need by embarking on a proactive and systemic approach to develop and make available to a broad base of public and private sector organizations, a comprehensive set of safeguarding measures for all types of computing platforms, including general purpose computing systems, cyber-physical systems, cloud and mobile systems, industrial/process control systems, and Internet of Things (IoT) devices. Those safeguarding measures include security and privacy controls to protect the critical and essential operations and assets of organizations and the personal privacy of individuals. The ultimate objective is to make the information systems we depend on more penetration resistant to attacks; limit the damage from attacks when they occur; and make the systems resilient and survivable.

Revision 5 of this foundational NIST publication represents a one-year effort to develop the next generation security and privacy controls that will be needed to accomplish the above objectives. It includes changes to make the controls more consumable by diverse groups including, for example, enterprises conducting mission and business operations; engineering organizations developing systems and systems-of-systems; and industry partners building system components, products, and services. The major changes to the publication include:

Making the security and privacy controls more outcome-based by changing the structure of the controls;

Fully integrating the privacy controls into the security control catalog creating a consolidated and unified set of controls for information systems and organizations, while providing summary and mapping tables for privacy-related controls;

Separating the control selection process from the actual controls, thus allowing the controls to be used by different communities of interest including systems engineers, software developers, enterprise architects; and mission/business owners;

Promoting integration with different risk management and cybersecurity approaches and lexicons, including the Cybersecurity Framework;

Clarifying the relationship between security and privacy to improve the selection of controls necessary to address the full scope of security and privacy risks; [emphasis added] and

Incorporating new, state-of-the-practice controls based on threat intelligence and empirical attack data, including controls to strengthen cybersecurity and privacy governance and accountability.

Your feedback on this draft publication is important to us. We appreciate each contribution from our reviewers. The very insightful comments from the public and private sectors, nationally and internationally, continue to help shape the final publication to ensure that it meets the needs and expectations of our customers. Comments can be submitted to sec-cert@nist.gov. NIST anticipates producing the final draft of this publication in October 2017 and publishing the final version not later than December 29, 2017.

The Draft IoT Cybersecurity Act of 2017: According to an article in the National Law Review, this draft legislation was introduced by Senators Mark Warner, Cory Gardner, Ron Wyden, and Steve Daines. The purpose of the legislation is to entice IoT vendors to build the following attributes into their products:

the ability to patch devices;

a commitment to withholding devices from market if they contain known vulnerabilities;

This legislation would limit government procurement to vendors and products that meet these requirements (with the possibility of case-by-case waivers). Thus, rather than imposing broad regulations across the IoT landscape, it would target anyone interested in reaching the vast government market. Various industry insiders and cyber experts have given positive feedback on the proposal; the consensus seems to be that it will entice vendors to make their IoT devices more secure, so that the improvements carry over to both the public and private sectors.

Opinion:

I get the value in doing something rather than doing nothing, and I have been on the “IoT is insecure” bandwagon for some time now. However, I still can’t help but think that this is beginning to feel like a piecemeal approach to security and privacy. If we continue to focus on specific industries, or devices, or vendors we run the risk of losing sight of the bigger picture. Personally, I believe we need to focus on data-centric security policies and stop trying to think about edge or network security as the primary points of vulnerability. I would argue that if we focus on the data and privacy we can then design comprehensive architectures that are purpose-built to safeguard that which we hold most important and critical. Yes, edge security and firewalls are going to be a component of that, as will encryption and information silos, along with access control and secure protocols, as well as knowledge transfer and training. However, it is important to keep our eye on the prize, the crown jewels, if you will — the data itself, rather than the medium upon which it flows.

So yes, the draft legislation may help with IoT devices and making them less insecure since consumers care too little about security for any true market driven forces to effectuate these changes. However, if we continue to take a device-by-device, industry-by-industry approach we will be drafting legislation for years and still inevitably something is going to fall through the cracks. If we had focused on data-centric legislation years ago then IoT devices may never have been a cybersecurity issue in the first place.

Wouldn’t a more pragmatic choice be to draft legislation that targets data security and privacy irrespective of the platform? Irrespective of the industry? Irrespective of the intended market? Why not build legislation that protects data? Wouldn’t the natural and logical flow result in the inclusion of basic product attributes such as the ability to patch devices, the use of standard protocols, and the absence of hardcoded passwords?

A recent article by Kevin Collier, which appeared in BuzzFeed, highlights what seems to be a recurring trend: US officials talk about how important and critical cyber is, and yet top cyber positions remain unfilled and the cyber ranks continue to be understaffed. The article indicates that four key cyber roles are now unfilled: Chief Information Security Officer for the EPA, CIO for the Department of Homeland Security, CIO for the Department of the Navy, and Director of Information Security and Privacy at the Office of Personnel Management.

We continue to hear rhetoric underscoring the importance of our cybersecurity posture; meanwhile, we hear almost daily about new cyberattacks: breaches, ransomware, and voting hacks, to name just a few. At the same time, numerous leadership positions within cyber are vacant, and staff positions likewise remain open as the divide grows between the demand for cybersecurity professionals and the number of candidates who possess the requisite skills to fill these slots.

This is a critical issue which plagues the public as well as the private sectors. Until and unless we get serious about cyber and begin to develop a pipeline for a skilled cyber workforce we are going to continue to suffer devastating cyber attacks. We need to act now and it is vitally important that a clear set of priorities is identified and articulated so that we can begin to take the requisite short and mid-term steps necessary both to avert our current cyber issues as well as those that inevitably will plague us going forward.

That starts with leadership and action, as opposed to inaction and disjointed off-the-cuff rhetoric. While we may face imminent threats around the globe from conventional actors, the rise of cyber leaves us exposed and vulnerable both abroad and at home. If we can’t put people in these leadership positions and give them the tools they need to implement cohesive and intelligent cyber strategies, then the coming cyber attacks are likely to increase in both scope and frequency.

According to a Business Insider article by Sonam Sheth, hackers at DEFCON were able to breach multiple voting machines within minutes. Sheth’s article states that hackers were able to infiltrate every one of the thirty voting machines within moments of gaining physical access, and that even rudimentary avenues of access had not been safeguarded against (such as attaching a physical keyboard and pressing Ctrl-Alt-Del).

Opinion:

Sheth is quick to point out the importance of these vulnerabilities while at the same time downplaying the fact that physical access was required for almost every single hack, with nearly all the machines being air-gapped and lacking Wi-Fi capabilities. While it is true that these vulnerabilities seem to ignore basic cybersecurity measures, one must also remain cognizant of the fact that these are not the latest and greatest machines; they were purchased on the secondary market and many of them are no longer in use throughout the US. Furthermore, in nearly every instance physical access was a critical element of the hack, and polling locations are generally fully staffed, with the voting machines kept in plain view and fitted with key-tags to prevent physical access. Additionally, while hacking was possible on many of these machines, changing the vote totals would result in mismatches between ballots and the voting machine; such discrepancies would require operator intervention and verification. I certainly agree that our electronic voting machines should require basic cybersecurity hygiene; however, I am reticent to stipulate that merely because physical access to (mostly) outdated machines demonstrates the ability to access and control these machines, our election process is somehow suspect. That seems an unfair and unfounded characterization and is not at all what was borne out of the DEFCON hacking attempts. However, we should be cognizant of the issues facing electronic voting machines, and there should be minimum cybersecurity measures implemented for electronic voting. We just shouldn’t delve into panic mode (at least not yet).

This is an old (2008) and controversial report. I was reading it to prepare for class and just thought I would share, for what it is worth. Its conclusion:

Electrical power is necessary to support other critical infrastructures, including supply and distribution of water, food, fuel, communications, transport, financial transactions, emergency services, government services, and all other infrastructures supporting the national economy and welfare. Should significant parts of the electrical power infrastructure be lost for any substantial period of time, the Commission believes that the consequences are likely to be catastrophic, and many people may ultimately die for lack of the basic elements necessary to sustain life in dense urban and suburban communities. In fact, the Commission is deeply concerned that such impacts are likely in the event of an EMP attack unless practical steps are taken to provide protection for critical elements of the electric system and for rapid restoration of electric power, particularly to essential services. The recovery plans for the individual infrastructures currently in place essentially assume, at worst, limited upsets to the other infrastructures that are important to their operation. Such plans may be of little or no value in the wake of an EMP attack because of its long-duration effects on all infrastructures that rely on electricity or electronics.

The Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack was established by Congress through Title XIV of Public Law 106-398. Commissioners were nominated by the Secretary of Defense and by the Administrator of the Federal Emergency Management Agency. See also: the Commission’s website.

After many rounds of peer review, 14 articles were accepted for this proceedings book, which formed the ‘backbone’ of the conference’s sessions and workshops. CyCon’s interdisciplinary nature is reflected in this collection of articles, which can be broadly categorised into three sections: strategy, law and technology.

The publication starts with a focus on strategic cyber security issues, as Martin Libicki provides his perspective on how states can establish effective international norms to limit cyber espionage. This is followed by Max Smeets, who analyses the possible benefits and risks of organisational integration of national offensive cyber capabilities. When discussing the challenges stemming from NATO’s decision to recognise cyberspace as an operational domain, Brad Bigelow highlights the importance of mission assurance and advocates for a clear role for the NATO Command Structure. The strategy section ends with Kenneth Geers, who emphasises the importance and often underestimated value of traffic analysis in cyberspace.

Articles devoted to legal issues start with Ido Sivan-Sevilla’s study of the dynamics of United States federal law with regard to the privacy and security debate. Privacy is also addressed by Eliza Watt, who writes about the role of international human rights law in the protection of online privacy, focusing on the extraterritorial application of human rights treaties. Jeffrey Biller’s contribution then looks at a topical issue in international humanitarian law: the misuse of protected indicators in cyberspace. International humanitarian law is also represented by the following article by Tassilo V. P. Singer, who examines the possible extension of the period of direct participation in hostilities due to autonomous cyber weapons. Emerging international law is discussed in the last two legal articles. Kubo Mačák provides his view of how general international law is influenced by the development of the cyber law of war; and finally, Peter Z. Stockburger observes that there may be arising a new lex specialis governing state responsibility for third party cyber incidents: a ‘control and capabilities’ test.

The third section of the book covers technical cyber security matters. Focussing on the defence of core infrastructure, Robert Koch and Teo Kühn begin by introducing their concept of building an effective intrusion detection system, based on voltage levels and current drain, to protect unsecure industrial control systems. Continuing with the subject of defending cyber-physical systems, Martin Strohmeier et al. propose the establishment of a separate verification layer for sensitive wireless data, powered by crowdsourced sensors connected to the Internet. Fabio Pierazzi et al. then tackle the detection of advanced cyber attacks as they introduce a novel online approach for identifying intrusions, providing an alternative to existing frameworks. Last but not least, Riccardo Longo et al. look at the resilience of certification authorities in a scenario of a large-scale cyber attack and propose a solution by analysing the security of a blockchain-based Public Key Infrastructure protocol.

Ransomware: Beware the Users, and Other Things As Well…

Ransomware, Hacks, and Cybersecurity Issues: As long as there are users there will be issues

Various media outlets have reported a dramatic rise in ransomware attacks, and the NY Times reported that the most recent attacks impacted over 200,000 machines running the Windows operating system (OS) across 150 countries. The NY Times article posits that hospitals, academic institutions, and technology companies were targeted during this cyberattack. The article goes on to state that exercising caution while online may well have prevented the malware from infiltrating and infecting the networks in the first place. The malware has been identified as the “WannaCry” variant, and according to the article a security update addressing it was made available by Microsoft nearly two months ago. Thus, here we see a double whammy: 1) administrators were not timely in rolling out updates; and 2) users clicked on or opened e-mails which facilitated the spread (this second point is contentious, as some security vendors dispute whether the payload was delivered using a typical phishing scheme).

What Now?

Ultimately these things typically seem to come down to the user. While IT professionals can implement policies and procedures to ensure that patches and security updates are applied regularly, it is the user who can make or break nearly any policy or procedure. Until artificial intelligence takes over and heuristics rule the day, we will continue to see successful (and yet rudimentary) attacks. That may help going forward, but it doesn’t help in the here and now; the following may. There are procedures companies and individuals can implement to limit the damage that ransomware can inflict and hopefully avoid paying a ransom for the return of their unencrypted data.

One would think that the concept of security updates and remaining current with patches would be a no-brainer; however, clearly that is not the case. Therefore, step zero, if you will, is to stay on top of this and ensure that all of your computing devices are running the latest supported versions with the latest patches and security updates applied. For a standard user, you should then practice good cyber hygiene: do not open e-mails from unknown senders, and do not click links in e-mails unless they are from a trusted source and do not exhibit any of the tell-tale signs (e.g., misspellings, poor grammar, links that go to an unknown domain, etc.).

It is equally important that you maintain backups of your data in a traditional backup format, ideally streamed to the backup device so that the backups themselves stay beyond the reach of ransomware. However, as I found in my previous career, a backup is only as good as the restore, and all too often restores are not fully (if at all) tested, which creates a terrible scenario. Ideally you would have a full-scale disaster recovery (DR) plan; however, these are largely beyond the expertise of the typical user and even some businesses. Without a DR plan both created and tested, companies will continue to find themselves victims of ransomware, and to mitigate risk they will often decide to pay rather than test their restore capabilities for the very first time.

The Short Version:

Know thy sender: if you aren’t certain it is from a trusted source, delete it rather than opening it. The same goes for links — type the domain’s address yourself rather than clicking a link you aren’t sure of.

Updates and Patches: turn on automatic updates, download and install the latest security updates, and check manually on a regular basis to ensure those “automatic” features are working.

Backup: if it is worth saving, it is worth backing up. Don’t forget that with the technological advances of handheld devices you should ensure that those are backed up as well.

Restore: test your restores, make sure you can restore a file, a folder, and an entire device. Sometimes a bare-metal restore is the only option to make sure you can bring your data back online with an entirely new device.
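The Backup and Restore steps above, together with the point in the longer discussion that a backup is only as good as its restore, as a runnable procedure. This is an added example, not code from the original post: it assumes a POSIX shell with GNU `tar` and `sha256sum` available, and every directory, file and file name below is constructed for the demonstration. The idea is that a backup job records a checksum manifest of what it captured, and a separate, routinely scheduled check restores the archive into a scratch location and compares every restored file against that manifest, so a stale or corrupt backup is discovered during a drill rather than during an incident.

```shell
#!/bin/sh
# Added example (not from the original post): back up a directory, record a
# checksum manifest, then PROVE the backup by restoring it somewhere else and
# comparing every restored file against the manifest. Assumes POSIX sh plus
# GNU tar and sha256sum; all paths and files below are constructed for the demo.

# write_manifest SRC MANIFEST: sha256 of every regular file under SRC, recorded
# relative to SRC so the manifest can be checked from any restore root.
# MANIFEST must be an absolute path (the check below runs from another directory).
write_manifest() {
    src="$1"; manifest="$2"
    ( cd "$src" && find . -type f -exec sha256sum {} + | LC_ALL=C sort ) > "$manifest"
}

# backup_dir SRC ARCHIVE MANIFEST: capture the manifest first, then the archive.
backup_dir() {
    src="$1"; archive="$2"; manifest="$3"
    write_manifest "$src" "$manifest" || return 1
    tar -C "$src" -cf "$archive" . || return 1
}

# verify_restore ARCHIVE MANIFEST: extract into a fresh scratch directory (never
# over the live data) and check each file. Returns 0 only when every file listed
# in the manifest restores with a matching checksum; 1 otherwise.
verify_restore() {
    archive="$1"; manifest="$2"
    scratch=$(mktemp -d) || return 1
    status=1
    if tar -C "$scratch" -xf "$archive" && ( cd "$scratch" && sha256sum -c --quiet "$manifest" ); then
        status=0
    fi
    rm -rf "$scratch"
    return $status
}

# demo_good: a complete backup verifies cleanly (returns 0).
demo_good() {
    work=$(mktemp -d)
    mkdir -p "$work/data/sub"
    printf 'quarterly report\n' > "$work/data/report.txt"      # constructed sample data
    printf 'id,amount\n1,42\n' > "$work/data/sub/ledger.csv"   # constructed sample data
    backup_dir "$work/data" "$work/data.tar" "$work/data.sha256" &&
        verify_restore "$work/data.tar" "$work/data.sha256"
    rc=$?
    rm -rf "$work"
    return $rc
}

# demo_stale: the data changed after the last backup ran, so checking the old
# archive against a manifest of the current data fails (returns 1). This is the
# gap an untested restore hides until the day the data is actually needed.
demo_stale() {
    work=$(mktemp -d)
    mkdir -p "$work/data"
    printf 'draft v1\n' > "$work/data/contract.txt"            # constructed sample data
    backup_dir "$work/data" "$work/data.tar" "$work/old.sha256" || { rm -rf "$work"; return 2; }
    printf 'draft v2, signed\n' > "$work/data/contract.txt"    # edit made after the backup
    write_manifest "$work/data" "$work/current.sha256"
    verify_restore "$work/data.tar" "$work/current.sha256"
    rc=$?
    rm -rf "$work"
    return $rc
}

if demo_good; then echo "complete backup: restore verified OK"; fi
if ! demo_stale; then echo "stale backup: restore check FAILED, as it should"; fi
```

In practice the manifest belongs with the archive on the backup target, and `verify_restore` is what a scheduled drill runs against the most recent archive; an unexpected non-zero exit is the signal to investigate before the backup is ever relied upon.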

Each Agency has 90 days to provide a risk management report to the Secretary of Homeland Security and the Director of the OMB.

DHS, OMB, Commerce, General Services and the White House staff then have 60 days to submit to the President a plan to protect the “executive branch enterprise.” Is that coordination or an ability to designate who is in charge?

For any national security system, the SecDef and DNI replace DHS and OMB.

An even larger group has 180 days to provide a report on protecting critical infrastructure.

That group includes Secretary of DHS, Secretary of Defense, the Attorney General, the DNI, the Director of the FBI, “the heads of appropriate sector-specific agencies, … and all other appropriate agency heads.”

The order calls for “market transparency of cybersecurity risk management practices by critical infrastructure entities,” presumably so people can vote with their feet. But much critical infrastructure is either a regulated monopoly or in the public sector. So consumer choice is minimal, and demand will not be elastic in response to transparency about poor cybersecurity practices. This may simply amount to public shaming as the enforcement mechanism.

A different large group of public agencies is to promote resilience against botnets and the like.

Energy, DHS, and ODNI have 90 days to report on securing the electric grid.

For the nation in general, “it is the policy of the executive branch to promote an open, interoperable, reliable, and secure internet that fosters efficiency, innovation, communication, and economic prosperity, while respecting privacy and guarding against disruption, fraud, and theft.” Note that one side of the balance is only “disruption, fraud, and theft.” There is no mention there of preventing terrorist communications or contraband such as child pornography.

A report on deterring adversaries is required within 90 days.

A section entitled “International Cooperation” also calls for reports but gives no indication of whether the Administration still supports multi-stakeholderism or will shift to multilateralism.

For better or worse, the order does not address investigative abilities and criminal enforcement.

The order takes a defensive posture and does not, yet, promote offensive cybersecurity.

Professor William Snyder

Ryan D. White

Ryan is currently a third year law student at Syracuse University College of Law, and is also pursuing a Master of Public Administration degree from Syracuse’s Maxwell School of Citizenship and Public Affairs. Ryan spent time with Homeland Security Investigations while pursuing his undergraduate degree at Wesleyan University, and spent his first summer of law school as clerk for the U.S. Attorney’s Office in the Western District of New York. He is a member of Syracuse Law Review, the Journal on Terrorism and Security Analysis, and participates in the Veteran’s Legal Clinic.

Christopher W. Folk

is a 2017 graduate of SU College of Law. A non-traditional student, Christopher returned to academia after spending nearly twenty years in the high-tech industry. Christopher served in the Marine Corps, graduated from Cornell University with a B.S. in Applied Economics and Business Management, attended Northeastern University’s High-Tech MBA Program and received an M.S. in Computer Information Systems. Christopher previously worked in software engineering. Christopher is currently serving his second term as Town Justice for the Town of Waterloo. Christopher externed with a cybersecurity firm in the Washington, D.C. area between his first and second year at SU College of Law.

Anna Maria Castillo

is a 2016 graduate of Syracuse College of Law. She also holds a Master of Arts in International Relations from Syracuse University's Maxwell School of Citizenship and Public Affairs. She has interned at a London-based think tank that specializes in transnational terrorism and global security and at the legal department of a defense contractor. She served as an executive editor of the Syracuse Law Review.

Jennifer A. Camillo

is a 2015 graduate of Syracuse College of Law and is a prosecutor. She has served as a law clerk in the United States Attorney’s Office for the Northern District of New York and the Cayuga County District Attorney’s Office and as an extern in the Oneida County District Attorney’s Office. She was a member of the Syracuse National Trial Team and was awarded the Tiffany Cup by the New York Bar Association for her trial advocacy achievements.

Tara J. Pistorese

holds Juris Doctor and Master of Public Administration degrees from Syracuse University's College of Law and its Maxwell School of Citizenship and Public Affairs. She wrote for this blog as a student. She is now a member of the U.S. Army Judge Advocate General's Corps.

Benjamin Zaiser

is both a scholar and a Federal Agent of the Federal Criminal Police Office of Germany. (Opinions expressed here are his own and not any part of official duty.)